14 WS-Trust Use Cases

The use cases in this chapter demonstrate the three security token services (STSes) that OWSM supports: Oracle STS, Microsoft ADFS 2.0 STS and OpenSSO STS. They cover both simple trust and web services federation, and show the different types of SAML policies.

The following sections provide two high-level use case examples of web services federation using Oracle STS and Microsoft ADFS 2.0 STS.

In the first example, Microsoft ADFS 2.0 STS is used as the IP-STS and Oracle STS is used as the RP-STS. Transport security with SSL is used to protect the service, the RP-STS and the IP-STS.

In the second example, the STSes are reversed, with Oracle STS being used as the IP-STS and Microsoft ADFS 2.0 STS being used as the RP-STS. SAML holder-of-key (HOK) message security is used to protect the endpoints.

Note:

In the following sections, high-level configuration tasks for Oracle STS and Microsoft ADFS 2.0 STS are provided. For detailed information on how to perform these tasks, refer to the documentation for the particular STS:

14.1.1 Federation with Microsoft ADFS 2.0 STS as the IP-STS and Oracle STS as the RP-STS

In this high-level use case example, Microsoft ADFS 2.0 STS is used as the IP-STS and Oracle STS is used as the RP-STS. Transport security with SSL is used to protect the service, the RP-STS and the IP-STS.

14.1.1.1 Configure the Service

Follow these steps to configure the service:

Attach the following policy to the service:

oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy

Import the signing certificate for the Oracle STS /wssbearer endpoint into the OWSM keystore.

The certificate signing request (CSR) that is generated and written to the owsm.csr file must be submitted to a Certificate Authority (CA) to obtain a valid certificate. The example below uses the Certificate Management Server maintained by the OpenSSO QA team at https://mahogany.red.iplanet.com; this is a test CA, so for anything other than a test environment submit the request to your organization's CA instead.

Access the Certificate Management Server at https://mahogany.red.iplanet.com, click SSL Server in the left pane, and paste the contents of the .csr file, from the BEGIN CERTIFICATE REQUEST line through the END CERTIFICATE REQUEST line inclusive, into the PKCS #10 Request field.

Fill out the other fields as appropriate and submit the request. Once the request is approved, the certificate can be retrieved from the Retrieval tab on the same page.

Copy the certificate content (PKCS #7 format), from the BEGIN CERTIFICATE line through the END CERTIFICATE line inclusive, into a file with a .cert extension and import the server certificate into the <glassfish_install_dir>/domains/<sts_deploy_domain>/config/keystore.jks file by using the following keytool command:

The previous step may need to be repeated for the client-side truststore.jks file: delete any existing rootca alias from that file and import the new certificate as shown above, changing the keystore path accordingly. Do not delete the owsm alias from keystore.jks, since that entry holds the private key.

To configure GlassFish with the new certificate, access the Administration Console at http://hostname:admin-port/. Navigate to Configuration -> HTTP Service -> http-listener2 (the default SSL-enabled port) -> SSL, and change the certificate nickname from s1as (the self-signed certificate) to owsm.

Restart GlassFish.
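The certificate steps above, scripted: extract the certificate from the CA's reply, install it against the existing owsm key pair in keystore.jks, replace the rootca entry in the client truststore.jks and verify the result. This is an added example, not from the Oracle or OpenSSO documentation. It assumes a JDK keytool on PATH and that the reply page was saved to a text file; the keystore paths, the CA reply text in the usage note and everything other than the owsm and rootca alias names are placeholders.

```python
"""Scripted version of the certificate steps above (added example, not from
the Oracle documentation). Assumes a JDK keytool on PATH; paths and the
reply text are placeholders."""
import os
import re
import shutil
import subprocess

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END CERTIFICATE-----")
# keytool reads the password from this variable instead of argv, so it does
# not end up in shell history or in `ps` output.
STOREPASS = ["-storepass:env", "OWSM_STOREPASS"]


def extract_pem_cert(reply_text):
    """First complete PEM certificate block in the retrieval page, LF-normalised.
    A truncated paste is rejected here instead of as an opaque keytool error."""
    m = PEM_CERT.search(reply_text)
    if not m:
        raise ValueError("no complete BEGIN/END CERTIFICATE block in the reply")
    return m.group(0).replace("\r\n", "\n") + "\n"


def keytool(*args):
    return ["keytool", *args]


def plan_keystore_update(keystore, truststore, cert_file="owsm.cert",
                         key_alias="owsm", trust_alias="rootca"):
    """keytool steps as (argv, must_succeed) pairs, so they can be reviewed or
    dry-run before anything is written to the keystores."""
    return [
        # keystore.jks: import under the key-pair alias WITHOUT deleting it.
        # The alias holds the private key; keytool treats an import under a
        # key-pair alias as a certificate reply and checks its chain
        # (-trustcacerts, or the chain carried inside a PKCS#7 reply).
        (keytool("-importcert", "-trustcacerts", "-keystore", keystore, *STOREPASS,
                 "-alias", key_alias, "-file", cert_file), True),
        # truststore.jks: drop the old rootca entry (a missing alias is fine) ...
        (keytool("-delete", "-keystore", truststore, *STOREPASS,
                 "-alias", trust_alias), False),
        # ... and import the new certificate as a trusted entry.
        (keytool("-importcert", "-noprompt", "-keystore", truststore, *STOREPASS,
                 "-alias", trust_alias, "-file", cert_file), True),
        # verify: owsm must still be a PrivateKeyEntry, now issued by the CA.
        (keytool("-list", "-v", "-keystore", keystore, *STOREPASS,
                 "-alias", key_alias), True),
    ]


def run_plan(steps, storepass, dry_run=True):
    """Print (dry run) or execute the plan; returns the number of steps that succeeded."""
    if not dry_run and shutil.which("keytool") is None:
        raise RuntimeError("keytool not on PATH: install a JDK first")
    env = {**os.environ, "OWSM_STOREPASS": storepass}
    ok = 0
    for argv, must_succeed in steps:
        if dry_run:
            print(" ".join(argv))
            ok += 1
            continue
        rc = subprocess.run(argv, env=env).returncode
        if rc != 0 and must_succeed:
            raise RuntimeError("failed: " + " ".join(argv))
        ok += rc == 0
    return ok


def install_from_reply(reply_path, keystore, truststore, storepass, dry_run=True):
    """Save the certificate from the CA reply as owsm.cert and run the plan."""
    with open(reply_path, encoding="utf-8") as f:
        pem = extract_pem_cert(f.read())
    with open("owsm.cert", "w", encoding="utf-8") as f:
        f.write(pem)
    return run_plan(plan_keystore_update(keystore, truststore), storepass, dry_run)

# Usage (placeholder paths; the dry run prints the commands, dry_run=False applies them):
# install_from_reply("reply.txt", "/opt/glassfish/domains/sts/config/keystore.jks",
#                    "/path/to/client/truststore.jks", storepass="changeit")
```

The truststore step imports the same certificate the page tells you to import; if you would rather anchor client trust on the issuing CA than on one server certificate, pass the CA's certificate as cert_file for that step instead, which also survives a later re-issue of the server certificate.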

14.2.2 SAML Holder-of-Key With Message Protection Scenario

The following procedure describes how to configure SAML holder-of-key with message protection using WS-Trust with OpenSSO STS. This example uses a WebLogic Web service and SOA Composite client to demonstrate the scenario.

To configure SAML holder-of-key with message protection using WS-Trust with OpenSSO STS:

By default, the oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy policy is configured with a token type of SAML 1.1. To use SAML 2.0 instead, make a copy of the policy and edit it, as described in "Cloning a Web Service Policy". The token type must match the one in the client policy.

Set sts.auth.user.csf.key to the user credentials available in the default OpenSSO STS configuration, namely username test with password test. It is not required when the requestor token type is X509, because the client then authenticates to the STS with its certificate rather than with a username and password.

By default, the oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy policy is configured with a token type of SAML 1.1. To use SAML 2.0 instead, make a copy of the policy and edit it, as described in "Cloning a Web Service Policy". The token type must match the one in the service policy.

14.2.3 SAML Sender Vouches with Message Protection Scenario

The following procedure describes how to configure SAML sender vouches with message protection using WS-Trust with OpenSSO STS. This example uses a WebLogic Web service and SOA Composite client to demonstrate the scenario.

To configure SAML sender vouches with message protection using WS-Trust with OpenSSO STS:

Attach the oracle/wss11_saml_token_with_message_protection_service_policy policy to the WebLogic Web service (there is no corresponding issued token policy for SAML sender vouches scenarios) and override the keystore.enc.csf.key to specify the service encryption key alias and password.

Note:

By default, the oracle/wss11_saml_token_with_message_protection_service_policy policy is configured with a token type of SAML 1.1. To use SAML 2.0 instead, make a copy of the policy and edit it, as described in "Cloning a Web Service Policy".

Set the on.behalf.of property to true. Set sts.auth.on.behalf.of.csf.key to the user credentials available in the default OpenSSO STS configuration that support the "on behalf of" use case, namely username demo with password changeit.

To grant the client application permission to request a token from OpenSSO STS "on behalf of" a user, grant the WSIdentityPermission to wsm-agent-core.jar, as described in "Set the WSIdentityPermission Permission".

14.2.4 SAML Bearer with Message Protection Scenario

The following procedure describes how to configure SAML bearer with message protection using WS-Trust with OpenSSO STS. This example uses a WebLogic Web service and SOA Composite client to demonstrate the scenario.

To configure SAML bearer with message protection using WS-Trust with OpenSSO STS:

Set sts.auth.user.csf.key to the user credentials available in the default OpenSSO STS configuration, namely username test with password test. It is not required when the requestor token type is X509, because the client then authenticates to the STS with its certificate rather than with a username and password.
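What the three scenarios above (holder-of-key, sender vouches, bearer) look like on the wire: the WS-Trust RequestSecurityToken (RST) the client sends to the STS, and a check of the properties the service ends up relying on. This is an added example, not Oracle or OpenSSO code. The namespace and KeyType/TokenType URIs are the standard OASIS WS-Trust 1.3 and SAML token profile values; the element layout is generic WS-Trust and is not claimed to be byte-for-byte what OWSM emits, the service URL and certificate are constructed, and the client's own authentication to the STS (the test/test or demo/changeit credentials, or the X509 requestor token) travels in the WS-Security header, which this example does not build.

```python
"""WS-Trust RST requests for the holder-of-key, sender vouches and bearer
scenarios (added example, not Oracle or OpenSSO code). Namespace URIs are
the OASIS ones; layout is generic WS-Trust 1.3, endpoint and certificate
values are placeholders."""
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1"
X509V3 = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-x509-token-profile-1.0#X509v3")
BASE64 = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
for prefix, uri in (("wst", WST), ("wsp", WSP), ("wsa", WSA), ("wsse", WSSE)):
    ET.register_namespace(prefix, uri)

# The policy's token type (SAML 1.1 by default, SAML 2.0 after cloning) is
# what ends up in wst:TokenType, which is why client and service must agree.
TOKEN_TYPE = {"saml11": SAML_PROFILE + "#SAMLV1.1",
              "saml20": SAML_PROFILE + "#SAMLV2.0"}
KEY_TYPE = {"bearer": WST + "/Bearer", "publickey": WST + "/PublicKey"}


def build_rst(scenario, token_type="saml11", client_cert_b64=None,
              on_behalf_of=None,
              applies_to="https://service.example.com/ws"):  # placeholder endpoint
    """Return the RST body (bytes) a client would send to the STS."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = TOKEN_TYPE[token_type]
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"),
                        f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to

    if scenario == "hok":
        # Holder-of-key with an X509 requestor: the client's certificate is the
        # proof key. The STS binds the assertion to it, so the service can
        # demand a signature with that key; no username CSF key is involved.
        if not client_cert_b64:
            raise ValueError("holder-of-key needs the requestor certificate")
        ET.SubElement(rst, f"{{{WST}}}KeyType").text = KEY_TYPE["publickey"]
        bst = ET.SubElement(ET.SubElement(rst, f"{{{WST}}}UseKey"),
                            f"{{{WSSE}}}BinarySecurityToken",
                            {"ValueType": X509V3, "EncodingType": BASE64})
        bst.text = client_cert_b64
    elif scenario == "sender_vouches":
        # The client authenticates to the STS as itself and asks for a token
        # for the end user; the STS only honours this for requestors it has
        # been told to trust, hence the WSIdentityPermission grant.
        if not on_behalf_of:
            raise ValueError("sender vouches needs the user to act on behalf of")
        ut = ET.SubElement(ET.SubElement(rst, f"{{{WST}}}OnBehalfOf"),
                           f"{{{WSSE}}}UsernameToken")
        ET.SubElement(ut, f"{{{WSSE}}}Username").text = on_behalf_of
    elif scenario == "bearer":
        # No proof key: whoever holds the assertion can present it, so it must
        # travel under SSL or WS-Security message protection end to end.
        ET.SubElement(rst, f"{{{WST}}}KeyType").text = KEY_TYPE["bearer"]
    else:
        raise ValueError(f"unknown scenario {scenario!r}")
    return ET.tostring(rst, encoding="utf-8")


def inspect_rst(rst_bytes):
    """Classify an RST and report the properties the service relies on."""
    root = ET.fromstring(rst_bytes)
    key_type = root.findtext(f"{{{WST}}}KeyType")
    token_type = root.findtext(f"{{{WST}}}TokenType")
    obo_user = root.findtext(
        f"{{{WST}}}OnBehalfOf/{{{WSSE}}}UsernameToken/{{{WSSE}}}Username")
    has_use_key = root.find(f"{{{WST}}}UseKey") is not None

    if key_type == KEY_TYPE["publickey"]:
        if not has_use_key:
            raise ValueError("PublicKey request without wst:UseKey: nothing to bind")
        scenario = "hok"
    elif obo_user is not None:
        scenario = "sender_vouches"
    elif key_type == KEY_TYPE["bearer"]:
        scenario = "bearer"
    else:
        raise ValueError("unrecognised RST")
    versions = {v: k for k, v in TOKEN_TYPE.items()}
    return {"scenario": scenario,
            "saml_version": versions.get(token_type),
            "proof_of_possession": scenario == "hok",
            "on_behalf_of": obo_user}
```

The saml_version field is the value that has to agree between the cloned client and service policies; a service left on the SAML 1.1 default will reject the SAML 2.0 assertion a SAML 2.0 client policy requests.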